How does an end user access the RAP Console on a RAP? How does an admin control access to the RAP Console on a RAP? How do I access the RAP Console behind a split-tunnel connection when the IP a

Question: How does an end user access the RAP Console on a RAP? How does an admin control access to the RAP Console on a RAP? How do I access the RAP Console behind a split-tunnel connection when the IP a.

Product and Software: This article applies to all RAP deployments that run ArubaOS 5.0 and later.

The RAP Console is a graphical user interface (WebUI) that end users connected to a remote access point (RAP) can access for troubleshooting purposes. The RAP Console allows end users to view wired-port statistics, broadcast SSIDs, connected users (wired and wireless), and other system logs. This information is valuable for local administrators (who have no access to the controller GUI) or when the RAP is disconnected from the controller.

This article discusses how a network administrator can grant or restrict RAP Console access for different types of users.

Granting User Access to the RAP Console

The RAP Console on a RAP can be accessed by end users who are connected to a RAP (wired or wireless) in split-tunnel or bridge mode by accessing this URL:

A user in split-tunnel mode can access the RAP Console if the user is assigned a role with an access policy similar to this one:

ip access-list session corp-user
  user any udp 68 deny
  any any svc-dhcp permit
  user alias corp any permit
  user any any route src-nat

where 'corp' is an alias for all the IP addresses (usually private) used at corporate. For example, this can be defined as:

netdestination corp
  network 10.0.0.0 255.0.0.0

For a user in bridge mode, the ACL is even simpler. For bridge users where IP addresses are assigned by the RAP, the ACL is as follows:

ip access-list session bridge-user-nat
  any any svc-dhcp permit
  any any any route src-nat

For bridge users where IP addresses are assigned by an uplink router, the ACL is as follows:

ip access-list session bridge-user
  any any any permit

Blocking User Access to the RAP Console

In ArubaOS 5.0, we introduced a special alias called "localip", which dynamically resolves to the uplink IP address of the RAP (the address of enet0 or the cellular uplink address). We can use this alias to restrict end users' access to the RAP Console. For example, to block access for split-tunnel users, we can use the following ACL:

ip access-list session corp-user-no-rap-console
  user any udp 68 deny
  any any svc-dhcp permit
  user localip svc-http deny
  user alias corp any permit
  user any any route src-nat

To block access for bridge users, use the following ACL:

ip access-list session bridge-user-nat-no-rap-console
  any any svc-dhcp permit
  user localip svc-http deny
  any any any route src-nat

Or

ip access-list session bridge-user-no-rap-console
  user localip svc-http deny
  any any any permit

Special Consideration If the IP Address Assigned to the RAP Clashes with the Corporate IP Address Space

If the IP address that is assigned to the uplink of the RAP clashes with the IP address space used at corporate, the RAP Console might not be accessible. This situation usually happens when the RAP is connected to a network that also uses private IP addresses (for example, 10.0.0.0/8 or 192.168.0.0/16). This situation might also happen if a cellular uplink is used, because the carrier might assign private addresses.
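The placement of the "localip" deny rule in the ACLs above, and the address clash just described, can be checked with a small first-match evaluator. This is an added example, not Aruba code: a simplified model that assumes top-down first-match evaluation with an implicit final deny, the default svc-dhcp (udp 67, 68) and svc-http (tcp 80) definitions, and constructed uplink addresses.

```python
import ipaddress

# Simplified model (assumption): rules are evaluated top-down, first match wins,
# and a packet that matches nothing is denied.
ALIASES = {"corp": [ipaddress.ip_network("10.0.0.0/8")]}  # 'netdestination corp' from the article
SERVICES = {"svc-dhcp": ("udp", {67, 68}), "svc-http": ("tcp", {80})}  # assumed defaults

def parse_rule(line):
    """Split '<src> <dst> <service> <action>' into (dst, service, action).
    The source field is ignored: every packet in this model comes from a user."""
    tok = line.split()
    if tok[1] == "alias":
        dst, i = ("alias", tok[2]), 3
    else:
        dst, i = (tok[1], None), 2
    if tok[i] in ("tcp", "udp"):
        svc, i = (tok[i], {int(tok[i + 1])}), i + 2
    elif tok[i] == "any":
        svc, i = None, i + 1
    else:
        svc, i = SERVICES[tok[i]], i + 1
    return dst, svc, " ".join(tok[i:])

def first_match(acl, dst_ip, proto, port, localip):
    """Return (rule, action) for the first rule that matches the packet."""
    dst_ip, localip = ipaddress.ip_address(dst_ip), ipaddress.ip_address(localip)
    for line in acl:
        (kind, name), svc, action = parse_rule(line)
        dst_ok = (kind == "any" or (kind == "localip" and dst_ip == localip)
                  or (kind == "alias" and any(dst_ip in net for net in ALIASES[name])))
        if dst_ok and (svc is None or (svc[0] == proto and port in svc[1])):
            return line, action
    return None, "deny"

def console_rule(acl, uplink_ip):
    """Which rule decides a user's HTTP request to the RAP's own uplink address?"""
    return first_match(acl, uplink_ip, "tcp", 80, uplink_ip)

CORP_USER = ["user any udp 68 deny", "any any svc-dhcp permit",
             "user alias corp any permit", "user any any route src-nat"]
NO_CONSOLE = CORP_USER[:2] + ["user localip svc-http deny"] + CORP_USER[2:]
MISORDERED = CORP_USER[:3] + ["user localip svc-http deny"] + CORP_USER[3:]  # deny placed too late

if __name__ == "__main__":
    for uplink in ("192.168.1.20", "10.1.1.20"):  # constructed; the second clashes with 'corp'
        for name, acl in (("corp-user", CORP_USER), ("corp-user-no-rap-console", NO_CONSOLE),
                          ("misordered", MISORDERED)):
            print(uplink, name, "->", console_rule(acl, uplink))
```

With the constructed clashing uplink 10.1.1.20, corp-user matches "user alias corp any permit" before it reaches the final src-nat rule, and a localip deny placed after that permit never fires.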